On 11/26/2015 07:53 AM, John R Pierce wrote:
> On 11/26/2015 7:43 AM, Alice Wonder wrote:
>>
>> Private Network A: 192.168.10.0/24
>> Private Network B: 192.168.20.0/24
>> Private Network C: 192.168.30.0/24
>> Private Network D: 192.168.40.0/24
>>
>> A will have a NAS. I can reach it from Internet (via port forwarding)
>> and B and C (routing table) but from it, I cannot connect to Internet
>> or B, C, D. That network, which likely will only have a few devices, cannot
>> initiate connections to Internet or the other networks.
>>
>> B is my trusted home network. It can connect to Internet (NAT) and to
>> A (port forwarding) but cannot reach C or D.
>
> B->A should use routing, with whatever port restrictions/packet filters
> you feel are appropriate. NAS file sharing protocols don't much like
> NAT/port forwarding.
>
>> C is untrusted home network. Things like my TV and Blu-ray player that
>> need Internet access but that I don't want to have the ability to
>> reach anything on B, but I do want them to be able to talk to NAS on A
>> via port forwarding. I'm always paranoid about those devices on my
>> network, I don't trust what they are doing. Call it tin foil but I
>> don't trust them. Yet they don't work right without access to Internet
>> (updates / Netflix).
>
> again, routing + packet filters for C->NAS.
>>
>> D when used is network for guests (will have cheap wifi attached), it
>> only talks to Internet via straight NAT and cannot talk to private
>> networks A, B, C.
>
>
> not sure why D needs to be separate from C, I'd probably treat the TV
> stuff as Guest too, and have them on the same subnet.
>
> you don't use any wifi devices yourself, laptops or tablets or phones or
> whatever? A potentially better solution would be wifi with a 'nocat
> splash' portal page that you need to log into for unrestricted network
> access, otherwise you're on the guest network. this can be done
> various ways.
I do use wifi myself, but I was going to attach a WAP to B as well as my home wired network. I could combine D and C, but the idea was to not have an open wifi router that can be used to access A.
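As an added example that is not part of the thread and not anything Alice or John posted, here is an nftables ruleset for a single Linux router that implements the policy described above, taking John's suggestion of plain routing plus packet filters (rather than port forwarding) for B->A and C->NAS. The four subnets are the ones from the thread; the interface names (wan0, lan_a .. lan_d), the NAS address 192.168.10.10 and the three port sets are assumptions chosen for illustration and should be replaced with the real values.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names, the NAS address
# and the port sets below are assumptions; only the subnets come from the thread.
flush ruleset

define wan   = "wan0"
define lan_a = "lan_a"   # 192.168.10.0/24  NAS network, never initiates
define lan_b = "lan_b"   # 192.168.20.0/24  trusted home network (+ own WAP)
define lan_c = "lan_c"   # 192.168.30.0/24  untrusted TV / Blu-ray network
define lan_d = "lan_d"   # 192.168.40.0/24  guest wifi

define net_a = 192.168.10.0/24
define net_b = 192.168.20.0/24
define net_c = 192.168.30.0/24
define net_d = 192.168.40.0/24

define nas             = 192.168.10.10   # assumed NAS address
define nas_file_ports  = { 445, 2049 }   # assumed: SMB and NFS for B
define nas_media_ports = { 8200 }        # assumed: DLNA for the TV on C
define nas_inet_ports  = { 443 }         # assumed: the one port exposed to Internet

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for anything accepted below; everything else is
        # evaluated as a new connection attempt.
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: a segment may only send with its own source range,
        # so a device on C cannot pretend to be on B to get past the rules.
        iifname $lan_a ip saddr != $net_a drop
        iifname $lan_b ip saddr != $net_b drop
        iifname $lan_c ip saddr != $net_c drop
        iifname $lan_d ip saddr != $net_d drop

        # B (trusted): Internet, and the NAS on A by routing, file ports only
        iifname $lan_b oifname $wan accept
        iifname $lan_b ip daddr $nas tcp dport $nas_file_ports accept

        # C (untrusted): Internet, and the NAS on A by routing, media port only
        iifname $lan_c oifname $wan accept
        iifname $lan_c ip daddr $nas tcp dport $nas_media_ports accept

        # D (guest): Internet only
        iifname $lan_d oifname $wan accept

        # Internet -> NAS: only what the DNAT rule below rewrote
        iifname $wan ip daddr $nas tcp dport $nas_inet_ports ct status dnat accept

        # A never initiates anything, so there is deliberately no
        # "iifname $lan_a ... accept" rule. B<->C, B<->D, C<->D and
        # anything else falls through to the drop policy.
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # The port forward from the thread: Internet -> NAS
        iifname $wan tcp dport $nas_inet_ports dnat to $nas
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Only B, C and D are masqueraded; A has no path to the Internet at all
        oifname $wan ip saddr { $net_b, $net_c, $net_d } masquerade
    }
}
```

Load it with `nft -f ruleset.nft` and confirm with `nft list ruleset`. The check worth doing after loading is negative: from a host on C, a connection to a B address or to a NAS port outside the media set should time out rather than be refused, and from the NAS itself nothing outbound should work except replies. The design only holds if the WAP on B is not open (it is what lets a wireless client onto the segment that can reach A), which is the reason Alice gives for keeping D separate from B.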